Full proxy/SWG: Provides deep, granular control of web traffic, including flexible policies for selective decryption of encrypted traffic.
Cloud access security broker (CASB): Exposes shadow IT by providing the ability to detect and report on cloud applications in use across your environment to better manage cloud adoption, risk reduction, and the ability to restrict or block apps.
Firewall-as-a-Service (FWaaS): Blocks more by seeing more with deep visibility and control for traffic across all ports and protocols for increased security efficacy
DNS-layer security: Blocks internet requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints.
Remote browser isolation (RBI): Isolates web traffic from the user device and the threat, so that users can safely access risky websites.
Secure malware analytics: Combines advanced sandboxing with threat intelligence in one unified solution to protect organizations from malware.
Cloud malware detection: Detects and removes malware from cloud-based applications and ensures that apps remain malware-free.
Securely protects all private apps, including non-standard ones that may use alternate ports/protocols, be multichannel, peer-to-peer, etc. Seamlessly delivers ZTNA and VPNaaS for the private application access.
App connectors
Provides secure connectivity and simplifies administrative tasks in establishing connectivity to private applications.
DNS Layer Security
A differentiating first line of defense.
Deploy enterprise-wide in minutes.
Block malware, phishing, CNC callbacks—from anywhere.
Prevent or limit visits to nefarious web sites from guest Wi-Fi networks.
Stop threats at the earliest point to reduce triage of alerts.
Accelerate internet access; only proxy risky domains.
Deploy enterprise-wide in minutes.
Multimode DLP
Analyze sensitive data in-line to provide visibility and control over sensitive data leaving your organization.
API-based DLP functionality for out-of-band analysis of data at rest in the cloud.
190+ built-in content classifiers including GDPR, PCI-DSS, HIPAA, PII, and PHI.
Inspection of cloud app and web traffic content and enforcement of data policies.
Detection and reporting on sensitive data usage and drill-down reports to help identify misuse.
Ability to assign DLP policies to AI applications to help users more safely use publicly available AI services like ChatGPT; protecting against IP loss or IP contamination by detecting and blocking risky content.
API-based functionality is supported on the following apps: Box Cloud Storage, ChatGPT, OpenAI ChatGPT API, Concur Invoice, Confluence, DLPTest.com, Dropbox, Facebook Messenger, Gmail, Jira, LinkedIn SlideShare, Monday, PasteBin, SalesForce, ServiceNow, ShareFile, Slack, SmartSheet, WeTransfer, WorkDay HCM, Yahoo Mail.
AMP (Advanced Malware Protection)
Detect hidden attack methods and report on malicious files.
Advanced sandboxing with threat intelligence in one unified solution.
Speed Threat hunting and incident response via single, correlated source of intelligence.
API’s to enrich security data and integrate with XDR or commonly used SIEMs.
Access to the full Secure Malware Analytics console.
Single, correlated source of intelligence to speed threat hunting and incident response.
Retrospective notification if file disposition changes (originally good / later deemed malicious).
Sandbox
Execution of malicious files.
Access to the full Secure Malware Analytics console.
Advanced threat intelligence.
Execution of malicious files in a glovebox.
Track file execution actions.
Capture network activity generated by the file.
Isolated testing environment.
RBI (Remote Browser Isolation)
RBI protects users and organizations from browser-based threats.
Shifts the execution of browsing activity from the user to a remote cloud-based virtualized browser instance to protect from Internet threats.
Website code is run separately and only a safe visual stream is delivered to the user.
Fully transparent to the end user.
Isolation of web traffic between user device and browser-based threats.
Rapid deployment without changing existing browser configuration.
Delivers secure web browsing with protection from zero-day threats.
Maintains employee productivity by ensuring safe access to risky destinations and protecting high-risk users.
DEM (Digital Experience Monitoring)
Monitor the health and performance of endpoints, applications, and network connectivity.
Key DEM insight examples:
Endpoint performance — CPU, memory, WIFI
Network performance — endpoint to Secure Access
Top 20 SaaS applications performance
User specific events
Optimize user productivity by automatically mining details on the user’s end-to-end experience, enabling the IT/security staff to rapidly resolve issues.
Deliver VPN as outsourced cloud service
Eliminate hardware installation and maintenance. (No head ends and version upgrades etc)
Supports granular per application access control.
Simplify operations with single console, agent, policy engine
Easily scale with high performance as user base grows.
Identity-based access control is available using SAML authentication through the customer’s IdP.
Endpoint posture is also evaluated;
Integration with Identity Services Engine (ISE) and support for RADIUS authentication.
Functionality examples include: Use case support (split tunneling and tunnel all support, peer-to-peer communication, trusted network detection, BYO certificate, split DNS, dynamic split DNS); multiple authentication methods (SAML, Certificate, Radius); user ease of use (always on VPN, start before logon); IT operation simplification (Local IP Pool, multiple VPN profiles).
Supports a management tunnel that is used to enable users to bring up a VPN tunnel and seamlessly authenticate to on-premises Active Directory when logging into PCs and performing password resets.
Management tunnel can be used by desktop management teams to download software updates to PCs without user VPN login.
Essentials
Secure Internet Access (SIA),
Secure Private Access (SPA),
SWG,
ZTNA, layer 3/4 firewall,
CASB,
RBI (level risky traffic) and more*
NOTE : Minimum QTY 100
Advantage
All capability in the Essential package PLUS
Layer 7 Firewall,
IPS,
DLP,
RBI (level any traffic) and more*
ENHANCED SUPPORT
Cisco Software Support Enhanced is automatically attached to all three license tiers.
Included with Enhanced support is:
Kick-off
Overview and Planning
Deployment Guidance
Ongoing Adoption Support
Periodic Security Optimization Checks
Prioritized access to Multiproduct Expertise in the Solution Support TAC
PREMIUM SUPPORT
Premium Support is an optional upgrade and recommended for customers with complex environments includes:
All Features of Enhanced
Success and service point of contact
Extended 1:1 adoption sessions
Periodic business and operational reviews
Increased support case priority over Enhanced
More details to come around services around migration. Reach out to PM if you have immediate questions.
ZScaler
ZPA is not a full replacement for VPN
Three separate dashboards vs one w/Cisco
New agent and vendor
Expensive and misleading initial pricing
Difficult to do business with / “sales arrogance”
Multiple dashboards, bad admin experience, complicated to configure
ZTNA: some apps are not supported
ZPA performance and outages
Requires budget approval before POV
Palo Alto
Weak ZTNA solution
Best for current PAN customers
Complicated, expensive, and rigid licensing model
Complicated, expensive licensing
Multiple management options
Required and expensive data lake
ZTNA security is weak, relying on firewall objects
Not design for new PAN customers
Complicated policy model for non-PAN customers
Netskope
Expensive point product
Private access isn’t replacement for VPN
Complicated admin experience
Expensive
Unified but complicated UI
Lack of VPNaaS
Limited SD-WAN capabilities / needs 3rd party
Point solution vendor
Immature Digital Experience Monitoring
Standard DNS Control & Detail DNS Logging : Advanced recursive DNS is not supported
Flexible connectivity options : Zscalar only supports Resource Connector. IPSEC tunnels are not supported.
DNS Resolver Service, Performance : In Zscalar recursive DNS has additional licensing. Netskope does not support recursive DNS.
Full DNS over HTTPS security coverage : Netskope does not support IPv6 traffic for security inspection.
Digital Experience Monitoring : Additional costs might be involved in case of Netskope & Zscalar.
https://wiki.saselab.net/integrating-google-workspace-idp-with-secure-access Integrating Google Workspace IDP with Secure Access\
https://learn-cloudsecurity.cisco.com/secure-access-product-tour Guided tour of Cisco Secure Access Dashboard
https://docs.sse.cisco.com/ Cisco Secure Access Help Center
https://supportassistant.cisco.com/ Cisco Support Assistant
https://mycase.cloudapps.cisco.com/start Manage Support Cases
Email: tac@cisco.com
By Pass Urls
www.msftconnecttest.com
www.msftncsi.com